{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,30]],"date-time":"2026-01-30T02:48:45Z","timestamp":1769741325335,"version":"3.49.0"},"publisher-location":"New York, NY, USA","reference-count":46,"publisher":"ACM","license":[{"start":{"date-parts":[[2025,4,25]],"date-time":"2025-04-25T00:00:00Z","timestamp":1745539200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,4,26]]},"DOI":"10.1145\/3706598.3713895","type":"proceedings-article","created":{"date-parts":[[2025,4,24]],"date-time":"2025-04-24T03:20:47Z","timestamp":1745464847000},"page":"1-19","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":1,"title":["\"Perfect is the Enemy of Good\": The CISO's Role in Enterprise Security as a Business Enabler"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-4331-4272","authenticated-orcid":false,"given":"Kimberly","family":"Ruth","sequence":"first","affiliation":[{"name":"Stanford University, Stanford, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6658-2213","authenticated-orcid":false,"given":"Veronica A.","family":"Rivera","sequence":"additional","affiliation":[{"name":"Stanford University, Stanford, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1359-1722","authenticated-orcid":false,"given":"Gautam","family":"Akiwate","sequence":"additional","affiliation":[{"name":"Stanford University, Stanford, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6611-4447","authenticated-orcid":false,"given":"Aurore","family":"Fass","sequence":"additional","affiliation":[{"name":"CISPA Helmholtz Center for Information Security, Saarbrucken, Germany"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4405-0010","authenticated-orcid":false,"given":"Patrick Gage","family":"Kelley","sequence":"additional","affiliation":[{"name":"Google, New York City, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3762-5851","authenticated-orcid":false,"given":"Kurt","family":"Thomas","sequence":"additional","affiliation":[{"name":"Google, Mountain View, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9647-4192","authenticated-orcid":false,"given":"Zakir","family":"Durumeric","sequence":"additional","affiliation":[{"name":"Stanford University, Stanford, USA"}]}],"member":"320","published-online":{"date-parts":[[2025,4,25]]},"reference":[{"key":"e_1_3_3_3_2_2","doi-asserted-by":"crossref","unstructured":"Eirik Albrechtsen and Jan Hovden. 2009. The information security digital divide between information security managers and users. Computers & Security 28 6 (2009) 476\u2013490.","DOI":"10.1016\/j.cose.2009.01.003"},{"key":"e_1_3_3_3_3_2","doi-asserted-by":"crossref","unstructured":"Sultan AlGhamdi Khin\u00a0Than Win and Elena Vlahu-Gjorgievska. 2020. Information security governance challenges and critical success factors: Systematic review. Computers & security 99 (2020) 102030.","DOI":"10.1016\/j.cose.2020.102030"},{"key":"e_1_3_3_3_4_2","doi-asserted-by":"crossref","unstructured":"Debi Ashenden and Angela Sasse. 2013. CISOs and organisational culture: Their own worst enemy? Computers & Security 39 (2013) 396\u2013405.","DOI":"10.1016\/j.cose.2013.09.004"},{"key":"e_1_3_3_3_5_2","doi-asserted-by":"publisher","DOI":"10.1145\/1595676.1595684"},{"key":"e_1_3_3_3_6_2","doi-asserted-by":"publisher","unstructured":"Virginia Braun and Victoria Clarke. 2006. Using thematic analysis in psychology. Qualitative Research in Psychology 3 2 (2006) 77\u2013101. 10.1191\/1478088706qp063oa","DOI":"10.1191\/1478088706qp063oa"},{"key":"e_1_3_3_3_7_2","doi-asserted-by":"crossref","unstructured":"Virginia Braun and Victoria Clarke. 2021. To saturate or not to saturate? Questioning data saturation as a useful concept for thematic analysis and sample-size rationales. Qualitative research in sport exercise and health 13 2 (2021) 201\u2013216.","DOI":"10.1080\/2159676X.2019.1704846"},{"key":"e_1_3_3_3_8_2","doi-asserted-by":"crossref","unstructured":"Virginia Braun and Victoria Clarke. 2022. Conceptual and design thinking for thematic analysis. Qualitative psychology 9 1 (2022) 3.","DOI":"10.1037\/qup0000196"},{"key":"e_1_3_3_3_9_2","unstructured":"Kevin Collier. 2023. Cyberattack cost MGM Resorts about $100 million Las Vegas company says. https:\/\/www.nbcnews.com\/business\/business-news\/cyberattack-cost-mgm-resorts-100-million-las-vegas-company-says."},{"key":"e_1_3_3_3_10_2","unstructured":"Crowdstrike. 2024. The leader in endpoint security. https:\/\/www.crowdstrike.com\/platform\/endpoint-security\/."},{"key":"e_1_3_3_3_11_2","doi-asserted-by":"crossref","unstructured":"Joseph Da\u00a0Silva and Rikke\u00a0Bjerg Jensen. 2022. \"Cyber security is a dark art\": The CISO as Soothsayer. Proceedings of the ACM on Human-Computer Interaction 6 CSCW2 Article 365 (Nov. 2022) 31\u00a0pages.","DOI":"10.1145\/3555090"},{"key":"e_1_3_3_3_12_2","unstructured":"Gartner. 2023. Gartner Forecasts Global Security and Risk Management Spending to Grow 14% in 2024. https:\/\/www.gartner.com\/en\/newsroom\/press-releases\/2023-09-28-gartner-forecasts-global-security-and-risk-management-spending-to-grow-14-percent-in-2024."},{"key":"e_1_3_3_3_13_2","doi-asserted-by":"crossref","unstructured":"Marilu Goodyear Holly\u00a0T. Goerdel Shannon Portillo and Linda Williams. 2010. Cybersecurity Management in the States: The Emerging Role of Chief Information Security Officers. Available at SSRN 2187412 (2010).","DOI":"10.2139\/ssrn.2187412"},{"key":"e_1_3_3_3_14_2","unstructured":"Google. 2024. Overview of Event Threat Detection. https:\/\/cloud.google.com\/security-command-center\/docs\/concepts-event-threat-detection-overview."},{"key":"e_1_3_3_3_15_2","unstructured":"Rohan Goswami. 2023. SEC sues SolarWinds over massive cyberattack alleging fraud and weak controls. https:\/\/www.cnbc.com\/2023\/10\/31\/solarwinds-defrauded-investors-about-cybersecurity-sec-alleges.html."},{"key":"e_1_3_3_3_16_2","unstructured":"Andy Greenberg and Matt Burgess. 2024. The Mystery of \u2018Jia Tan \u2019 the XZ Backdoor Mastermind. https:\/\/www.wired.com\/story\/jia-tan-xz-backdoor\/."},{"key":"e_1_3_3_3_17_2","doi-asserted-by":"crossref","unstructured":"Husam Haqaf and Murat Koyuncu. 2018. Understanding key skills for information security managers. International Journal of Information Management 43 (2018).","DOI":"10.1016\/j.ijinfomgt.2018.07.013"},{"key":"e_1_3_3_3_18_2","first-page":"2311","volume-title":"USENIX Security","author":"Hielscher Jonas","year":"2023","unstructured":"Jonas Hielscher, Uta Menges, Simon Parkin, Annette Kluge, and M.\u00a0Angela Sasse. 2023. \u201cEmployees Who Don\u2019t Accept the Time Security Takes Are Not Aware Enough\u201d: The CISO View of Human-Centred Security. In USENIX Security. USENIX Association, Anaheim, CA, 2311\u20132328."},{"key":"e_1_3_3_3_19_2","first-page":"131","volume-title":"Symposium on Usable Privacy and Security (SOUPS 2023)","author":"Hielscher Jonas","year":"2023","unstructured":"Jonas Hielscher, Markus Sch\u00f6ps, Uta Menges, Marco Gutfleisch, Mirko Helbling, and M.\u00a0Angela Sasse. 2023. Lacking the Tools and Support to Fix Friction: Results from an Interview Study with Security Managers. In Symposium on Usable Privacy and Security (SOUPS 2023). USENIX Association, Anaheim, CA, 131\u2013150."},{"key":"e_1_3_3_3_20_2","first-page":"3093","volume-title":"30th USENIX Security Symposium (USENIX Security 21)","author":"Ho Grant","year":"2021","unstructured":"Grant Ho, Mayank Dhiman, Devdatta Akhawe, Vern Paxson, Stefan Savage, Geoffrey\u00a0M Voelker, and David Wagner. 2021. Hopper: Modeling and detecting lateral movement. In 30th USENIX Security Symposium (USENIX Security 21). USENIX Association, 3093\u20133110."},{"key":"e_1_3_3_3_21_2","first-page":"469","volume-title":"26th USENIX security symposium (USENIX security 17)","author":"Ho Grant","year":"2017","unstructured":"Grant Ho, Aashish Sharma, Mobin Javed, Vern Paxson, and David Wagner. 2017. Detecting credential spearphishing in enterprise settings. In 26th USENIX security symposium (USENIX security 17). USENIX Association, Vancouver, BC, 469\u2013485."},{"key":"e_1_3_3_3_22_2","doi-asserted-by":"crossref","unstructured":"Val Hooper and Jeremy McKissack. 2016. The emerging role of the CISO. Business Horizons 59 6 (2016) 585\u2013591.","DOI":"10.1016\/j.bushor.2016.07.004"},{"key":"e_1_3_3_3_23_2","first-page":"1235","volume-title":"USENIX Security","author":"Huaman Nicolas","year":"2021","unstructured":"Nicolas Huaman, Bennet\u00a0von Skarczinski, Christian Stransky, Dominik Wermke, Yasemin Acar, Arne Drei\u00dfigacker, and Sascha Fahl. 2021. A Large-Scale Interview Study on Information Security in and Attacks against Small and Medium-sized Enterprises. In USENIX Security. USENIX Association, 1235\u20131252."},{"key":"e_1_3_3_3_24_2","doi-asserted-by":"crossref","unstructured":"Allen\u00a0C Johnston and Ron Hale. 2009. Improved security through information security governance. Commun. ACM 52 1 (2009) 126\u2013129.","DOI":"10.1145\/1435417.1435446"},{"key":"e_1_3_3_3_25_2","first-page":"7231","volume-title":"33rd USENIX Security Symposium (USENIX Security 24)","author":"Lassak Leona","year":"2024","unstructured":"Leona Lassak, Elleen Pan, Blase Ur, and Maximilian Golla. 2024. Why Aren\u2019t We Using Passkeys? Obstacles Companies Face Deploying FIDO2 Passwordless Authentication. In 33rd USENIX Security Symposium (USENIX Security 24). USENIX Association, Philadelphia, PA, 7231\u20137248."},{"key":"e_1_3_3_3_26_2","unstructured":"Michelle\u00a0R. Lowry Anthony Vance and Marshall\u00a0D. Vance. 2021. Inexpert Supervision: Field Evidence on Boards\u2019 Oversight of Cybersecurity. Available at SSRN 4002794 (2021)."},{"key":"e_1_3_3_3_27_2","unstructured":"Stuart Madnick. 2024. What\u2019s Behind the Increase in Data Breaches? https:\/\/www.wsj.com\/tech\/cybersecurity\/why-are-cybersecurity-data-breaches-still-rising-2f08866c."},{"key":"e_1_3_3_3_28_2","unstructured":"Sean Maynard Mazino Onibere and Atif Ahmad. 2018. Defining the strategic role of the Chief Information Security Officer. Pacific Asia Journal of the Association for Information Systems 10 3 (2018) 3."},{"key":"e_1_3_3_3_29_2","doi-asserted-by":"crossref","unstructured":"Henock\u00a0Mulugeta Melaku. 2023. A dynamic and adaptive cybersecurity governance framework. Journal of Cybersecurity and Privacy 3 3 (2023) 327\u2013350.","DOI":"10.3390\/jcp3030017"},{"key":"e_1_3_3_3_30_2","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSPW61312.2024.00058"},{"key":"e_1_3_3_3_31_2","unstructured":"Microsoft. 2024. Microsoft Defender for Cloud. https:\/\/www.microsoft.com\/en-us\/security\/business\/cloud-security\/microsoft-defender-cloud."},{"key":"e_1_3_3_3_32_2","first-page":"1","volume-title":"Workshop on the Economics of Information Security","author":"Moore Tyler","year":"2016","unstructured":"Tyler Moore, Scott Dynes, and Frederick\u00a0R Chang. 2016. Identifying How Firms Manage Cybersecurity Investment. In Workshop on the Economics of Information Security. 1\u201327."},{"key":"e_1_3_3_3_33_2","unstructured":"Lily\u00a0Hay Newman. 2023. Okta\u2019s Latest Security Breach Is Haunted by the Ghost of Incidents Past. https:\/\/www.wired.com\/story\/okta-support-system-breach-disclosure\/."},{"key":"e_1_3_3_3_34_2","doi-asserted-by":"crossref","unstructured":"Lorelli\u00a0S Nowell Jill\u00a0M Norris Deborah\u00a0E White and Nancy\u00a0J Moules. 2017. Thematic analysis: Striving to meet the trustworthiness criteria. International journal of qualitative methods 16 1 (2017) 1609406917733847.","DOI":"10.1177\/1609406917733847"},{"key":"e_1_3_3_3_35_2","doi-asserted-by":"publisher","DOI":"10.1145\/3290605.3300663"},{"key":"e_1_3_3_3_36_2","unstructured":"Harry Robertson. 2023. ION brings clients back online after ransomware attack. https:\/\/www.reuters.com\/technology\/ion-starts-bring-clients-back-online-after-ransomware-attack-source-2023-02-07\/."},{"key":"e_1_3_3_3_37_2","doi-asserted-by":"crossref","unstructured":"Zeynep Sahin and Anthony Vance. 2025. What do we need to know about the Chief Information Security Officer? A literature review and research agenda. Computers & Security 148 (2025) 104063.","DOI":"10.1016\/j.cose.2024.104063"},{"key":"e_1_3_3_3_38_2","doi-asserted-by":"crossref","unstructured":"Stef Schinagl and Abbas Shahim. 2020. What do we know about information security governance? \u201cFrom the basement to the boardroom\u201d: towards digital security governance. Information & Computer Security 28 2 (2020) 261\u2013292.","DOI":"10.1108\/ICS-02-2019-0033"},{"key":"e_1_3_3_3_39_2","doi-asserted-by":"crossref","unstructured":"Zahoor\u00a0Ahmed Soomro Mahmood\u00a0Hussain Shah and Javed Ahmed. 2016. Information security management needs more holistic approach: A literature review. International journal of information management 36 2 (2016) 215\u2013225.","DOI":"10.1016\/j.ijinfomgt.2015.11.009"},{"key":"e_1_3_3_3_40_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24003"},{"key":"e_1_3_3_3_41_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2022.23107"},{"key":"e_1_3_3_3_42_2","volume-title":"International Conference on Information Systems","author":"Vance Anthony","year":"2022","unstructured":"Anthony Vance, Michelle Lowry, and Zeynep Sahin. 2022. Taking a Seat at the Table: The Quest for CISO Legitimacy. In International Conference on Information Systems."},{"key":"e_1_3_3_3_43_2","first-page":"46","volume-title":"Information security","author":"Warkentin Merrill","year":"2016","unstructured":"Merrill Warkentin and Allen\u00a0C Johnston. 2016. IT governance and organizational design for security management. In Information security. Routledge, 46\u201368."},{"key":"e_1_3_3_3_44_2","unstructured":"Tom Warren. 2024. Microsoft \u2018senior leadership\u2019 emails accessed by Russian SolarWinds hackers. https:\/\/www.theverge.com\/2024\/1\/19\/24044561\/microsoft-senior-leadership-emails-hack-russian-security-attack."},{"key":"e_1_3_3_3_45_2","unstructured":"Wiz. 2024. Detect Investigate and Respond to Cloud Threats. https:\/\/www.wiz.io\/lp\/nb-cdr-b."},{"key":"e_1_3_3_3_46_2","volume-title":"USENIX Security","author":"Wolf Flynn","year":"2021","unstructured":"Flynn Wolf, Adam\u00a0J. Aviv, and Ravi Kuber. 2021. Security Obstacles and Motivations for Small Businesses from a CISO\u2019s Perspective. In USENIX Security. USENIX Association."},{"key":"e_1_3_3_3_47_2","doi-asserted-by":"crossref","unstructured":"Moti Zwilling. 2022. Trends and challenges regarding cyber risk mitigation by CISOs\u2014A systematic literature and experts\u2019 opinion review based on text analytics. Sustainability 14 3 (2022) 1311.","DOI":"10.3390\/su14031311"}],"event":{"name":"CHI 2025: CHI Conference on Human Factors in Computing Systems","location":"Yokohama Japan","acronym":"CHI '25","sponsor":["SIGCHI ACM Special Interest Group on Computer-Human Interaction"]},"container-title":["Proceedings of the 2025 CHI Conference on Human Factors in Computing Systems"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3706598.3713895","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3706598.3713895","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,4]],"date-time":"2025-07-04T04:58:12Z","timestamp":1751605092000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3706598.3713895"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,4,25]]},"references-count":46,"alternative-id":["10.1145\/3706598.3713895","10.1145\/3706598"],"URL":"https:\/\/doi.org\/10.1145\/3706598.3713895","relation":{},"subject":[],"published":{"date-parts":[[2025,4,25]]},"assertion":[{"value":"2025-04-25","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}